Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: malicious software that infected point-of-sale systems at Target checkout counters. Today's post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

Banks are making billions on the electronic economy - they scarf 1-3% of every transaction, just for handling the transfer. They have been pushing electronic transfers - debit and credit cards - as an alternative to cash.

The government likes it because now they have a record of virtually every cash transaction you make - read the ironically titled “Bank Secrecy Act” if you think the government doesn’t have full access to your account information. What do they care if the system isn’t secure? You should have bought “identity protection”, bub!

According to the article, they were able to compromise a web server to gain access to the network. From there they could deploy the malicious code to the POS devices and also set up a data collection point on another one of Target's servers. The malicious code on the POS devices would send the credit card data to this collection point as the card was swiped. The bad guys were able to log on to the collection server to gather the data whenever they felt like it.

"The malicious code on the POS devices would send the credit card data to this collection point as the card was swiped. The bad guys were able to log on to the collection server to gather the data whenever they felt like it."

I guess the net admins never heard of router security protocols. There shouldn't be open routes (unauthorized IP addresses) between internal servers. We can rest easy at night that our grid is just as secure.

17
posted on 01/16/2014 9:54:07 AM PST
by uncommonsense
(Liberals see what they believe; Conservatives believe what they see.)
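The "no open routes between internal servers" point above is checkable from flow data: registers should only ever reach a short list of destinations, and any register-to-anything-else traffic is a finding. The following is an added example (not from the thread, not Target's code) that applies a constructed allowlist to constructed flow records; the subnets, hostnames and ports are assumptions for illustration.

```python
"""Flag POS endpoints talking to internal hosts they have no business reaching.

Added example, not from the thread or from Target. The subnets, ports and
flow records below are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto bytes_out")

# Constructed policy: registers may talk only to the store payment gateway
# on its service port and to the patch server on its update port.
POS_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED = {
    (ipaddress.ip_network("10.20.255.10/32"), 8443),  # store payment gateway
    (ipaddress.ip_network("10.1.5.20/32"), 443),      # patch/update server
}

def is_pos(ip):
    """True if the address falls inside a register subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in POS_SUBNETS)

def is_allowed(dst, dport):
    """True if (destination, port) is on the register allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport == port for net, port in ALLOWED)

def find_violations(flows, min_bytes=0):
    """Return flows from POS hosts to destinations outside the allowlist."""
    return [
        f for f in flows
        if is_pos(f.src) and not is_allowed(f.dst, f.dport) and f.bytes_out >= min_bytes
    ]

def summarize(flows):
    """Group violations by destination so a single collection point stands out."""
    by_dst = {}
    for f in find_violations(flows):
        by_dst.setdefault(f.dst, set()).add(f.src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}

# Constructed sample flows. The two SMB flows to 10.1.40.7 model registers
# pushing card dumps to an internal box they should never be able to reach.
SAMPLE_FLOWS = [
    Flow("10.20.3.11", "10.20.255.10", 8443, "tcp", 2_048),
    Flow("10.20.3.11", "10.1.5.20", 443, "tcp", 900),
    Flow("10.20.3.12", "10.20.255.10", 8443, "tcp", 1_500),
    Flow("10.20.3.12", "10.1.40.7", 445, "tcp", 1_200_000),
    Flow("10.20.3.14", "10.1.40.7", 445, "tcp", 980_000),
    Flow("10.1.40.7", "10.1.5.20", 443, "tcp", 4_000),  # not a register; ignored
]

if __name__ == "__main__":
    for dst, srcs in summarize(SAMPLE_FLOWS).items():
        print(f"{dst}: {len(srcs)} POS hosts -> {', '.join(srcs)}")
```

The grouping step matters more than the per-flow check: one register reaching an odd host is noise, but many registers all converging on the same internal server is exactly the shape of a collection point.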

We had a break-in on a box and my Server2008 box was audited because the pwn3d server tried to get in. When I told them my only local user id, they responded “How did you think of something that convoluted?”.

I guess the same way you thought of using “fred” as a local acct on your server.
Now the server emails me for every incorrect login.

20
posted on 01/16/2014 10:03:41 AM PST
by AppyPappy
(Obama: What did I not know and when did I not know it?)
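A mail per failed logon, as described in the post above, works on a box with one account; on anything busier it is worth grouping failures by source first. The following is an added example (not from the thread) that parses a constructed, minimal export of Windows Security event 4625 and alerts when one source produces a burst of failures inside a short window. The line format is an assumption; a real export has many more fields, though the status codes shown (0xC000006A bad password, 0xC0000064 no such user) are the real NTSTATUS values.

```python
"""Alert on bursts of failed logons from one source.

Added example, not from the thread. The log lines are constructed to look
like a minimal export of Windows Security event 4625 (failed logon).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export format: "<date> <time> <event id> user=<name> src=<ip> status=<hex>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"status=(?P<status>0x[0-9a-fA-F]+)$"
)

# Constructed sample: one host guessing at two accounts, then one user typo.
SAMPLE_LOG = """\
2014-01-16 09:54:01 4625 user=fred src=10.1.40.7 status=0xC000006A
2014-01-16 09:54:03 4625 user=fred src=10.1.40.7 status=0xC000006A
2014-01-16 09:54:04 4625 user=administrator src=10.1.40.7 status=0xC0000064
2014-01-16 09:54:06 4625 user=fred src=10.1.40.7 status=0xC000006A
2014-01-16 09:54:09 4625 user=fred src=10.1.40.7 status=0xC000006A
2014-01-16 09:54:10 4624 user=jsmith src=10.1.2.9 status=0x0
2014-01-16 10:30:00 4625 user=jsmith src=10.1.2.9 status=0xC000006A
"""

def parse(text):
    """Turn export lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["eid"] = int(d["eid"])
        events.append(d)
    return events

def failed_logon_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Return (src, count) for each source with >= threshold 4625 events
    inside any `window`-long span, regardless of which account it tried."""
    by_src = defaultdict(list)
    for e in events:
        if e["eid"] == 4625:
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((src, best))
    return alerts

if __name__ == "__main__":
    for src, n in failed_logon_bursts(parse(SAMPLE_LOG)):
        print(f"ALERT: {n} failed logons from {src} within 5 minutes")
```

Grouping by source rather than by account is deliberate: a password-spraying box cycles through many usernames, so a per-account counter never reaches its threshold.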

"But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target's internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

The bad guys were logging in remotely to that [control server], and apparently had persistent access to it, a source close to the investigation told KrebsOnSecurity. They basically had to keep going in and manually collecting the dumps"

21
posted on 01/16/2014 10:03:54 AM PST
by uncommonsense
(Liberals see what they believe; Conservatives believe what they see.)

I’d guess the glory of the network: the POS computers talk to local servers to update inventory and other stuff, those servers talk to WAN servers to meta all that data, and those servers can connect to other servers that run basic parts of the network, which in turn are talked to by laptops run by office drones that surf porn at work. Nobody keeps domains separate anymore; it creates too much work when the same stuff (like Office apps) is needed in multiple domains, so they set up lots of two-way trusts and viruses spread.

How would malware get into the POS system? You can't use a cash register to go surfing on porn.com.

POS endpoints have to be connected, otherwise they could not work to verify credit cards. Usually such embedded devices have a minimal OS and network services, so there aren't a lot of weak processes to try to take over. However, they probably have a mechanism to upgrade/patch the software on them remotely, and to do that you generally need a port that can push software in. That might be a way the attackers got in.

One trick they use is to send data that's way too big for the buffer (sort of like the "inbox") so that the data overflows into areas of memory it's not supposed to go to. That can crash the system and force a reboot and if you planted bad stuff on it, it will load at the reboot. Really clever hackers can do far more.

26
posted on 01/16/2014 10:26:14 AM PST
by pepsi_junkie
(Who is John Galt?)
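If the remote update channel is the door, the device-side check on what comes through it is the lock. The following is an added example (not from the thread, not any POS vendor's code) of the checks a register should run before installing a pushed package: the manifest must authenticate, the version must move forward, and the package must hash to what the manifest says. It uses a stdlib HMAC so it runs with no dependencies; that is an assumption for illustration, and a real deployment would use an asymmetric signature so the device holds only a public key and compromising one register cannot forge updates for the rest. Keys, versions and package bytes are all constructed.

```python
"""Verify a pushed update before a POS endpoint installs it.

Added example, not from the thread or from any POS vendor. HMAC stands in
for a real signature so the demo needs only the standard library.
"""
import hashlib
import hmac
import json

# Constructed verification key, provisioned on the device out of band.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"

class UpdateRejected(Exception):
    pass

def make_manifest(key, version, package):
    """Build what the (hypothetical) update server would send alongside a package."""
    body = {"version": version, "sha256": hashlib.sha256(package).hexdigest()}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": raw.decode(), "mac": hmac.new(key, raw, hashlib.sha256).hexdigest()}

def verify_update(key, manifest, package, installed_version):
    """Return the new version number if every check passes, else raise."""
    raw = manifest["body"].encode()
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    # Constant-time compare: the manifest is attacker-controlled input.
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise UpdateRejected("manifest MAC does not verify")
    body = json.loads(raw)                     # only parsed after the MAC passes
    if body["version"] <= installed_version:   # monotonic version: no replay, no downgrade
        raise UpdateRejected("downgrade or replay of an older update")
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, body["sha256"]):
        raise UpdateRejected("package hash does not match manifest")
    return body["version"]

def try_install(key, manifest, package, installed_version):
    """Return (accepted, reason) so the caller can log every outcome."""
    try:
        return True, f"installed version {verify_update(key, manifest, package, installed_version)}"
    except UpdateRejected as e:
        return False, str(e)

# Constructed packages: the legitimate build and a tampered one.
GOOD_PKG = b"pos-firmware-v7-constructed-bytes"
EVIL_PKG = b"pos-firmware-v7-with-ram-scraper"

if __name__ == "__main__":
    m = make_manifest(DEVICE_KEY, 7, GOOD_PKG)
    print(try_install(DEVICE_KEY, m, GOOD_PKG, 6))                  # accepted
    print(try_install(DEVICE_KEY, m, EVIL_PKG, 6))                  # hash mismatch
    print(try_install(DEVICE_KEY, m, GOOD_PKG, 7))                  # replay of current version
    forged = make_manifest(b"attacker-key", 8, EVIL_PKG)
    print(try_install(DEVICE_KEY, forged, EVIL_PKG, 6))             # MAC fails
```

The order of the checks is the point: authenticate the manifest before parsing it, reject stale versions before spending time hashing a large package, and only then compare the package digest.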

Looks like the hackers breached a web server and then logged onto POS servers which control the POS devices. What’s disturbing is that the hackers had a persistent connection and periodically downloaded data.

29
posted on 01/16/2014 10:47:45 AM PST
by BuckeyeTexan
(There are those that break and bend. I'm the other kind. ~Steve Earle)

NOTE: If this blogger, KrebsOnSecurity, hadn’t received a tip and researched it, then published it, none of us would have known about it. Target never even admitted it happened until two days after he published the info, and never, ever did anything to recompense customers. Even their offer of free credit monitoring came weeks after the news broke.

30
posted on 01/16/2014 10:51:00 AM PST
by JoyjoyfromNJ
(everything written by me on FR is my personal opinion & does not represent my employer)

I can see how the POS data could be collected by this malware and sent to some obscure place on Target’s servers for later collection by the bad guys, but how did it get there? I suspect that someone within Target’s IT department with access may have done this and opened a back door for the bad guys to retrieve the hacked information. It is also possible that someone could do this by hacking into the system from outside, but then why pick Target instead of some more high-end stores where customers have more to steal?

You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.

36
posted on 01/16/2014 1:14:46 PM PST
by SgtHooper
(If at first you don't succeed, skydiving is not for you.)

You’d be foolish to omit network vulnerabilities as part of the issue. As a server administrator and network engineer, I can tell you that everything from your ISP modem to your iPhone are scanned on a regular basis from points all around the world for port and protocol vulnerabilities every day, every hour, every minute.

I run a VM server and host several gaming clan sites and voice services from my home, and my logs are flooded with requests from all over the globe: Romania, France, Sweden, Russia, China, Vietnam, the Philippines, Venezuela, Brazil, you name it. I’ve set up filters on my proxies to prevent IPs from Russia and China, specifically, but my firewall logs are constantly hammered. They’re scanning every possible port from lowly SSH (22) up through the higher random ports most Windows systems use (1024-65K). If they find something, they’ll get in.

This is where I tell everyone who is using Windows XP to STOP USING WINDOWS XP! I don’t care if you’re in your 60s and XP “just works,” for us younger whippersnappers, there’s nothing more laborious or frustrating than getting a call from our elders about computer problems and coming to find out you’re running XP. Would you still be driving around an Edsel if you could? C’mon! XP is a giant vulnerability matrix. You’re on your own VERY soon, as MS no longer supports the OS in any way.

Many POS systems are running XP or some screwy Windows variant. There are plenty of FREE Linux distros for POS. Most large businesses like Target don’t want to invest the money for the right people to do a large-scale implementation, but we do exist.

41
posted on 01/16/2014 2:05:02 PM PST
by rarestia
(It's time to water the Tree of Liberty.)

“You guys are forgetting that other data sources have your info without you doing any online transactions. Consider the IRS records, local county tax records, real estate records, credit report companies, etc. You may not enter or place your info online, but somebody else does.”

One of the most vulnerable places is our health care system even before Obozo Care.

Medicare, Medicaid and most insurance companies use one # for patients, our Social Security #.

Many medical providers do a credit check so they have that number/data.

Many providers seem to prefer being paid by credit card, if so they have that number.

If you pay by check, they have all of your banking numbers.

Often the lowest paid people in a medical office have full access to all of the above, plus your medical history.

Last summer, our FPs retired or went to a big HMO.

So we had to fill out all of the data above to be seen. The local group’s site was not verified and brought up warnings from my internet provider and services like Norton. I told our new FP, and he laughed until I showed him the warnings. He made a couple of quick calls, and the patient side of their site was shut down until a new site was opened up. Their current site is verified and seems okay now.

Another site, a surgical specialty site, has yet to get its act together. We pay our bills with electronic checks or cash.

Another specialty medical site had a similar problem, and that seems to be okay since they merged with the local hospital, which is part of a big California hospital organization. This organization has a lot of employee unrest and union battles which is not a reassurance.

Last but not least are the store discount cards which market/mine our private data. The one such card I have, I am St. Nick, born on the 4th of July in 1918. In five years, only one clerk has picked up on my fantasy ID, and she just laughed.

I'll say! Actually I do. Devices that are targets for this kind of attack shouldn't be able to be remotely flashed with new software. It's convenient for the people who manage them, but so what, it's not their money to be putting at risk.

44
posted on 01/16/2014 2:58:47 PM PST
by Still Thinking
(Freedom is NOT a loophole!)

Devices that are targets for this kind of attack shouldn't be able to be remotely flashed with new software. It's convenient for the people who manage them, but so what, it's not their money to be putting at risk.

Barring doing the safest thing (not allowing remote flashing of code) they should at minimum have monitoring that alerts when code is added or changed.

I’m not even saying flashing shouldn’t be “allowed”. I’m saying it should be impossible. Whatever code the devices run should be in hardware, requiring physical contact to reload. If it’s a permission thing, there might be some way for them to end run it.

46
posted on 01/16/2014 3:34:38 PM PST
by Still Thinking
(Freedom is NOT a loophole!)
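The two positions above (make the code unchangeable, or at minimum alert when it changes) share one building block: a known-good hash baseline that the endpoint cannot rewrite. The following is an added example (not from the thread) of the "alert when code is added or changed" option. It diffs hash maps so the demo runs offline on constructed file contents; `snapshot_dir` shows how the same map would be produced from a real directory, and the paths and contents are assumptions for illustration.

```python
"""Detect code added or changed on an endpoint by diffing against a baseline.

Added example, not from the thread. Hashes are sha256; the baseline (and
this checker) should live somewhere the monitored host cannot write to.
"""
import hashlib
import os

def baseline(files):
    """Map path -> sha256 of contents, from an in-memory {path: bytes} map."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}

def snapshot_dir(root):
    """Same map built from a real directory tree (not used by the demo data)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as fh:
                out[p] = hashlib.sha256(fh.read()).hexdigest()
    return out

def diff(base, now):
    """Return added, removed and modified paths of `now` relative to `base`."""
    added = sorted(set(now) - set(base))
    removed = sorted(set(base) - set(now))
    modified = sorted(p for p in set(base) & set(now) if base[p] != now[p])
    return {"added": added, "removed": removed, "modified": modified}

def should_alert(report):
    """Any change at all to an application directory is a finding."""
    return any(report.values())

# Constructed snapshot of a register's application directory at deployment.
GOLD = {
    "C:/pos/pos.exe": b"constructed pos binary",
    "C:/pos/config.ini": b"[gateway]\nhost=10.20.255.10\n",
}
# Same host later: a new DLL has appeared and the config now points elsewhere.
LATER = {
    "C:/pos/pos.exe": b"constructed pos binary",
    "C:/pos/config.ini": b"[gateway]\nhost=10.1.40.7\n",
    "C:/pos/svchost.dll": b"constructed scraper",
}

if __name__ == "__main__":
    report = diff(baseline(GOLD), baseline(LATER))
    if should_alert(report):
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
```

The weak spot of this approach is the one the post above names: if the baseline or the checker sits on the same box, whoever pushed the new code can push a new baseline too, so the comparison has to happen off-host.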

Agreed. Perhaps the only saving grace is that greed may overtake the hackers to the extent that large sums of money are detected as moving from place to place and catches the eye of Law Enforcement. If they stay small, they likely will never be caught. There are simply too many sources from which to piece together a user profile and then raid their accounts. Especially when governments support this type of behavior.

47
posted on 01/16/2014 3:38:55 PM PST
by SgtHooper
(If at first you don't succeed, skydiving is not for you.)

I am 100% behind you, but it's not going to happen. The buggy software that we squeeze out nowadays needs to be patched too often. IMHO we are on the precipice of a software crisis where our systems are too big and too convoluted for anyone to understand. They are poorly designed and hurriedly slapped together with little or no QA. They are riddled with security flaws. If we could not continuously push out bug fixes, nothing would work. And now, this is all catching up with us. God help us.

Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.